Oracle® Fusion Middleware Application Security Guide 11g Release 1 (11.1.1) Part Number E10043-08
This appendix contains reference information that you will need when developing applications for LDAP directories based on the User and Role APIs. It contains these sections:
Note: IBM Tivoli directory parameters are the same as those specified for OpenLDAP. Microsoft ADAM parameters are the same as those specified for Microsoft Active Directory.
Table D-1 lists each user attribute in UserProfile.property and its corresponding attribute in the different directory servers.
Table D-1 User Attributes in UserProfile.Property
Attribute | Oracle Internet Directory | Oracle WebLogic Server Embedded LDAP | Microsoft Active Directory | Oracle Directory Server Enterprise Edition | Novell eDirectory | OpenLDAP |
---|---|---|---|---|---|---|
GUID | orclguid | uid | objectguid | nsuniqueid | guid | entryuuid |
USER_ID | username (see Note below) | uid | uid | uid | uid | uid |
DISPLAY_NAME | displayname | displayname | displayname | displayname | displayname | displayname |
BUSINESS_EMAIL | | | | | | |
DESCRIPTION | description | description | description | description | description | description |
EMPLOYEE_TYPE | employeeType | employeeType | employeeType | employeeType | employeeType | employeeType |
DEPARTMENT | departmentnumber | departmentnumber | departmentnumber | departmentnumber | departmentnumber | departmentnumber |
DATE_OF_BIRTH | orcldateofbirth | - | - | - | - | - |
BUSINESS_FAX | facsimiletelephonenumber | facsimiletelephonenumber | facsimiletelephonenumber | facsimiletelephonenumber | facsimiletelephonenumber | facsimiletelephonenumber |
BUSINESS_CITY | l | l | l | l | l | l |
BUSINESS_COUNTRY | c | c | c | c | c | c |
DATE_OF_HIRE | orclhiredate | - | - | - | - | - |
NAME | cn | uid | cn | uid | cn | cn |
PREFERRED_LANGUAGE | preferredlanguage | preferredlanguage | preferredlanguage | preferredlanguage | preferredlanguage | preferredlanguage |
BUSINESS_POSTAL_ADDR | postaladdress | postaladdress | postaladdress | postaladdress | postaladdress | postaladdress |
MIDDLE_NAME | orclmiddlename | - | - | - | - | - |
ORGANIZATIONAL_UNIT | ou | ou | ou | ou | ou | ou |
WIRELESS_ACCT_NUMBER | orclwirelessaccountnumber | - | - | - | - | - |
BUSINESS_PO_BOX | postofficebox | postofficebox | postofficebox | postofficebox | postofficebox | postofficebox |
BUSINESS_STATE | st | st | st | st | st | st |
HOME_ADDRESS | homepostaladdress | homepostaladdress | homepostaladdress | homepostaladdress | homepostaladdress | homepostaladdress |
NAME_SUFFIX | generationqualifier | generationqualifier | generationqualifier | generationqualifier | generationqualifier | generationqualifier |
BUSINESS_STREET | street | street | street | street | street | street |
INITIALS | initials | initials | initials | initials | initials | initials |
USER_NAME | username (see Note below) | uid | samaccountname | uid | uid | uid |
BUSINESS_POSTAL_CODE | postalcode | postalcode | postalcode | postalcode | postalcode | postalcode |
BUSINESS_PAGER | pager | pager | pager | pager | pager | pager |
LAST_NAME | sn | sn | sn | sn | sn | sn |
BUSINESS_PHONE | telephonenumber | telephonenumber | telephonenumber | telephonenumber | telephonenumber | telephonenumber |
FIRST_NAME | givenname | givenname | givenname | givenname | givenname | givenname |
TIME_ZONE | orcltimezone | - | - | - | - | - |
MAIDEN_NAME | orclmaidenname | - | - | - | - | - |
PASSWORD | userpassword | userpassword | userpassword | userpassword | userpassword | userpassword |
DEFAULT_GROUP | orcldefaultprofilegroup | - | - | - | - | - |
ORGANIZATION | o | o | o | o | o | o |
HOME_PHONE | homephone | homephone | homephone | homephone | homephone | homephone |
BUSINESS_MOBILE | mobile | mobile | mobile | mobile | mobile | mobile |
UI_ACCESS_MODE | orcluiaccessibilitymode | - | - | - | - | - |
JPEG_PHOTO | jpegphoto | jpegphoto | jpegphoto | jpegphoto | jpegphoto | jpegphoto |
MANAGER | manager | manager | manager | manager | manager | manager |
TITLE | title | title | title | title | title | title |
EMPLOYEE_NUMBER | employeenumber | employeenumber | employeenumber | employeenumber | employeenumber | employeenumber |
LDUser.PASSWORD | userpassword | userpassword | userpassword | userpassword | userpassword | userpassword |
Note: username is typically uid, but technically it is the attribute designated by orclCommonNicknameAttribute in the subscriber's oraclecontext products common entry.

Table D-2 lists each role attribute in UserProfile.property and its corresponding attribute in different directory servers.
Table D-2 Role Attribute Values in LDAP Directories
Role Attribute | Oracle Internet Directory | Oracle WebLogic Server Embedded LDAP | Microsoft Active Directory | Oracle Directory Server Enterprise Edition | Novell eDirectory | OpenLDAP |
---|---|---|---|---|---|---|
DISPLAY_NAME | displayname | - | displayname | displayname | displayname | displayname |
MANAGER | - | - | - | - | - | - |
NAME | cn | cn | cn | cn | cn | cn |
OWNER | owner | owner | - | owner | - | owner |
GUID | orclguid | cn | objectguid | nsuniqueid | guid | entryuuid |
This section lists parameters for which the APIs can use default configuration values, and the source of the value in different directory servers.
Table D-3 lists the source for Oracle Internet Directory and Microsoft Active Directory.
Table D-3 Default Values - Oracle Internet Directory and Microsoft Active Directory
Parameter | Oracle Internet Directory | Active Directory |
---|---|---|
RT_USER_OBJECT_CLASSES | #config | {"user"} |
RT_USER_MANDATORY_ATTRS | #schema | #schema |
RT_USER_CREATE_BASES | #config | cn=users,<subscriberDN> |
RT_USER_SEARCH_BASES | #config | <subscriberDN> |
RT_USER_FILTER_OBJECT_CLASSES | #config | {"user"} |
RT_USER_SELECTED_CREATE_BASE | #config | cn=users,<subscriberDN> |
RT_GROUP_OBJECT_CLASSES | #config | {"group"} |
RT_GROUP_MANDATORY_ATTRS | #schema | #schema |
RT_GROUP_CREATE_BASES | #config | <subscriberDN> |
RT_GROUP_SEARCH_BASES | #config | <subscriberDN> |
RT_GROUP_FILTER_OBJECT_CLASSES | #config | {"group"} |
RT_GROUP_MEMBER_ATTRS | "uniquemember", "member" | "member" |
RT_GROUP_SELECTED_CREATE_BASE | #config | <subscriberDN> |
RT_GROUP_GENERIC_SEARCH_BASE | <subscriberDN> | <subscriberDN> |
RT_SEARCH_TYPE | #config | #config |
ST_SUBSCRIBER_NAME | #config | NULL |
ST_USER_NAME_ATTR | #config | cn |
ST_USER_LOGIN_ATTR | #config | samaccountname |
ST_GROUP_NAME_ATTR | #config | cn |
ST_MAX_SEARCHFILTER_LENGTH | 500 | 500 |
ST_BINARY_ATTRIBUTES | Choose a Binary Basic Attribute (BBA). See note below about BBAs. | Binary Basic Attribute (BBA) + {"objectguid", "unicodepwd"}. See note below about BBAs. |
ST_LOGGER_NAME | oracle.idm.userrole | oracle.idm.userrole |
Notes:
The Basic Binary Attributes include: {"photo", "personalsignature", "audio","jpegphoto", "javaserializeddata", "thumbnailphoto", "thumbnaillogo", "userpassword", "usercertificate", "cacertificate", "authorityrevocationlist", "certificaterevocationlist", "crosscertificatepair", "x500UniqueIdentifier"}
#config is extracted from the meta information present in the directory
#schema is extracted from the schema in the directory
Table D-4 lists the source for Oracle Directory Server Enterprise Edition and Novell eDirectory.
Table D-4 Default Values - Oracle Directory Server Enterprise Edition and Novell eDirectory
Parameter | Oracle Directory Server Enterprise Edition | Novell eDirectory |
---|---|---|
RT_USER_OBJECT_CLASSES | {"inetorgperson", "person", "organizationalperson"} | {"person", "inetorgperson", "organizationalPerson", "ndsloginproperties"} |
RT_USER_MANDATORY_ATTRS | #schema | #schema |
RT_USER_CREATE_BASES | ou=people,<subscriberDN> | ou=users,<subscriberDN> |
RT_USER_SEARCH_BASES | <subscriberDN> | <subscriberDN> |
RT_USER_FILTER_OBJECT_CLASSES | {"inetorgperson", "person", "organizationalperson"} | {"person", "inetorgperson", "organizationalPerson", "ndsloginproperties"} |
RT_USER_SELECTED_CREATE_BASE | ou=people,<subscriberDN> | ou=users,<subscriberDN> |
RT_GROUP_OBJECT_CLASSES | "groupofuniquenames" | {"group"} |
RT_GROUP_MANDATORY_ATTRS | #schema | #schema |
RT_GROUP_CREATE_BASES | ou=groups,<subscriberDN> | ou=groups,<subscriberDN> |
RT_GROUP_SEARCH_BASES | <subscriberDN> | <subscriberDN> |
RT_GROUP_FILTER_OBJECT_CLASSES | {"groupofuniquenames"} | {"group"} |
RT_GROUP_MEMBER_ATTRS | "uniquemember" | "member" |
RT_GROUP_SELECTED_CREATE_BASE | ou=groups,<subscriberDN> | ou=groups,<subscriberDN> |
RT_GROUP_GENERIC_SEARCH_BASE | <subscriberDN> | <subscriberDN> |
RT_SEARCH_TYPE | #config | #config |
ST_SUBSCRIBER_NAME | NULL | NULL |
ST_USER_NAME_ATTR | uid | cn |
ST_USER_LOGIN_ATTR | uid | cn |
ST_GROUP_NAME_ATTR | cn | cn |
ST_MAX_SEARCHFILTER_LENGTH | 500 | 500 |
ST_BINARY_ATTRIBUTES | Choose a Binary Basic Attribute (BBA). See note below about BBAs. | Binary Basic Attribute (BBA) + {"guid"}. See note below about BBAs. |
ST_LOGGER_NAME | oracle.idm.userrole | oracle.idm.userrole |
Notes:
The Basic Binary Attributes include: {"photo", "personalsignature", "audio","jpegphoto", "javaserializeddata", "thumbnailphoto", "thumbnaillogo", "userpassword", "usercertificate", "cacertificate", "authorityrevocationlist", "certificaterevocationlist", "crosscertificatepair", "x500UniqueIdentifier"}
#config is extracted from the meta information present in the directory
#schema is extracted from the schema in the directory
Table D-5 lists the parameters for OpenLDAP and Oracle Virtual Directory.
Table D-5 Default Values - OpenLDAP and Oracle Virtual Directory
Parameter | OpenLDAP | Oracle Virtual Directory |
---|---|---|
RT_USER_OBJECT_CLASSES | {"inetorgperson", "person", "organizationalperson"} | {"inetorgperson"} |
RT_USER_MANDATORY_ATTRS | #schema | #schema |
RT_USER_CREATE_BASES | ou=people,<subscriberDN> | <subscriberDN> |
RT_USER_SEARCH_BASES | <subscriberDN> | <subscriberDN> |
RT_USER_FILTER_OBJECT_CLASSES | {"inetorgperson", "person", "organizationalperson"} | {"inetorgperson"} |
RT_USER_SELECTED_CREATE_BASE | ou=people,<subscriberDN> | <subscriberDN> |
RT_GROUP_OBJECT_CLASSES | "groupofuniquenames" | {"groupofuniquenames"} |
RT_GROUP_MANDATORY_ATTRS | #schema | #schema |
RT_GROUP_CREATE_BASES | ou=groups,<subscriberDN> | <subscriberDN> |
RT_GROUP_SEARCH_BASES | <subscriberDN> | <subscriberDN> |
RT_GROUP_FILTER_OBJECT_CLASSES | "groupofuniquenames" | {"groupofuniquenames"} |
RT_GROUP_MEMBER_ATTRS | "uniquemember" | "uniquemember" |
RT_GROUP_SELECTED_CREATE_BASE | ou=groups,<subscriberDN> | <subscriberDN> |
RT_GROUP_GENERIC_SEARCH_BASE | <subscriberDN> | <subscriberDN> |
RT_SEARCH_TYPE | #config | #config |
ST_SUBSCRIBER_NAME | NULL | #config (namingcontexts) |
ST_USER_NAME_ATTR | uid | cn |
ST_USER_LOGIN_ATTR | uid | cn |
ST_GROUP_NAME_ATTR | cn | cn |
ST_MAX_SEARCHFILTER_LENGTH | 500 | 500 |
ST_BINARY_ATTRIBUTES | Choose a Binary Basic Attribute (BBA). See note below about BBAs. | Binary Basic Attribute (BBA) + {"guid"}. See note below about BBAs. |
ST_LOGGER_NAME | oracle.idm.userrole | oracle.idm.userrole |
Notes:
The Basic Binary Attributes include: {"photo", "personalsignature", "audio","jpegphoto", "javaserializeddata", "thumbnailphoto", "thumbnaillogo", "userpassword", "usercertificate", "cacertificate", "authorityrevocationlist", "certificaterevocationlist", "crosscertificatepair", "x500UniqueIdentifier"}
#config is extracted from the meta information present in the directory
#schema is extracted from the schema in the directory
Table D-6 lists the parameters for Oracle WebLogic Server LDAP.
Table D-6 Default Values - Oracle WebLogic Server LDAP
Parameter | Oracle WebLogic Server Embedded LDAP |
---|---|
RT_USER_OBJECT_CLASSES | {"inetorgperson", "person", "organizationalperson", "wlsUser"} |
RT_USER_MANDATORY_ATTRS | #schema |
RT_USER_CREATE_BASES | {"ou=people,<subscriberDN>"} |
RT_USER_SEARCH_BASES | {"ou=people,<subscriberDN>"} |
RT_USER_FILTER_OBJECT_CLASSES | {"inetorgperson", "wlsUser"} |
RT_USER_SELECTED_CREATE_BASE | ou=people,<subscriberDN> |
RT_GROUP_OBJECT_CLASSES | {"top", "groupofuniquenames", "groupOfURLs"} |
RT_GROUP_MANDATORY_ATTRS | #schema |
RT_GROUP_CREATE_BASES | {"ou=groups,<subscriberDN>"} |
RT_GROUP_SEARCH_BASES | {"ou=groups,<subscriberDN>"} |
RT_GROUP_FILTER_OBJECT_CLASSES | {"top", "groupofuniquenames", "groupOfURLs"} |
RT_GROUP_MEMBER_ATTRS | "uniquemember" |
RT_GROUP_SELECTED_CREATE_BASE | ou=groups,<subscriberDN> |
RT_GROUP_GENERIC_SEARCH_BASE | <subscriberDN> |
RT_SEARCH_TYPE | #config |
ST_SUBSCRIBER_NAME | #config (namingcontexts) |
ST_USER_NAME_ATTR | uid |
ST_USER_LOGIN_ATTR | uid |
ST_GROUP_NAME_ATTR | cn |
ST_MAX_SEARCHFILTER_LENGTH | 500 |
ST_BINARY_ATTRIBUTES | Binary Basic Attribute (BBA). See the note on BBAs following Table D-5. |
ST_LOGGER_NAME | oracle.idm.userrole |
Active Directory requires the connection to be SSL-enabled when sensitive information such as a password is set. Operations that set the password, such as creating a user, therefore fail if the connection is not SSL-enabled.
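As an added example (not part of this appendix and not the User and Role API's own code), the following Python module transcribes the filter-related defaults from Tables D-3 to D-6 (ST_USER_LOGIN_ATTR, RT_USER_FILTER_OBJECT_CLASSES, RT_GROUP_FILTER_OBJECT_CLASSES, RT_GROUP_MEMBER_ATTRS and ST_MAX_SEARCHFILTER_LENGTH) and builds user and group search filters from them. The directory keys such as "openldap", the decision to AND the object classes into one filter, and the function names are assumptions; the escaping follows RFC 4515 so that a caller-supplied login value cannot change the structure of the filter, and the length check enforces the documented 500-character limit. Oracle Internet Directory is omitted because its values are read from the directory ("#config"). The Active Directory SSL requirement from the paragraph above is exposed as a pre-flight check.

```python
"""Search-filter construction from the per-directory defaults in this appendix.
Example code; hypothetical names, not the Oracle User and Role API."""
from dataclasses import dataclass
from typing import Dict, List

# ST_MAX_SEARCHFILTER_LENGTH is 500 for every directory in Tables D-3 to D-6.
ST_MAX_SEARCHFILTER_LENGTH = 500


@dataclass(frozen=True)
class DirectoryDefaults:
    user_login_attr: str                 # ST_USER_LOGIN_ATTR
    user_filter_object_classes: List[str]   # RT_USER_FILTER_OBJECT_CLASSES
    group_filter_object_classes: List[str]  # RT_GROUP_FILTER_OBJECT_CLASSES
    group_member_attrs: List[str]        # RT_GROUP_MEMBER_ATTRS


# Values transcribed from Tables D-3 to D-6; the dictionary keys are assumed names.
DEFAULTS: Dict[str, DirectoryDefaults] = {
    "active_directory": DirectoryDefaults("samaccountname", ["user"], ["group"], ["member"]),
    "odsee": DirectoryDefaults("uid", ["inetorgperson", "person", "organizationalperson"],
                               ["groupofuniquenames"], ["uniquemember"]),
    "edirectory": DirectoryDefaults("cn", ["person", "inetorgperson", "organizationalPerson",
                                           "ndsloginproperties"], ["group"], ["member"]),
    "openldap": DirectoryDefaults("uid", ["inetorgperson", "person", "organizationalperson"],
                                  ["groupofuniquenames"], ["uniquemember"]),
    "ovd": DirectoryDefaults("cn", ["inetorgperson"], ["groupofuniquenames"], ["uniquemember"]),
    "wls_embedded": DirectoryDefaults("uid", ["inetorgperson", "wlsUser"],
                                      ["top", "groupofuniquenames", "groupOfURLs"], ["uniquemember"]),
}

# RFC 4515 assertion-value escapes: the characters that would otherwise let
# untrusted input alter the filter's structure.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value that is placed inside a filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def fits_search_filter_limit(search_filter: str) -> bool:
    """True if the filter respects ST_MAX_SEARCHFILTER_LENGTH."""
    return len(search_filter) <= ST_MAX_SEARCHFILTER_LENGTH


def _objectclass_clause(classes: List[str]) -> str:
    # Assumption: each configured object class must match (AND of clauses).
    return "".join(f"(objectclass={c})" for c in classes)


def _checked(search_filter: str) -> str:
    if not fits_search_filter_limit(search_filter):
        raise ValueError(f"filter exceeds ST_MAX_SEARCHFILTER_LENGTH ({ST_MAX_SEARCHFILTER_LENGTH})")
    return search_filter


def user_lookup_filter(directory: str, login: str) -> str:
    """Filter that selects the user whose login attribute equals `login`."""
    d = DEFAULTS[directory]
    return _checked(f"(&{_objectclass_clause(d.user_filter_object_classes)}"
                    f"({d.user_login_attr}={escape_filter_value(login)}))")


def groups_of_member_filter(directory: str, member_dn: str) -> str:
    """Filter that selects the groups listing `member_dn` in any member attribute."""
    d = DEFAULTS[directory]
    member = escape_filter_value(member_dn)
    clause = "".join(f"({a}={member})" for a in d.group_member_attrs)
    if len(d.group_member_attrs) > 1:
        clause = f"(|{clause})"   # several member attributes: match any of them
    return _checked(f"(&{_objectclass_clause(d.group_filter_object_classes)}{clause})")


def password_write_requires_ssl(directory: str) -> bool:
    """Per this appendix, Active Directory rejects password writes over a
    non-SSL connection; other directories' policies are not covered here."""
    return directory == "active_directory"


if __name__ == "__main__":
    # Constructed sample input: a hostile login value that tries to widen the search.
    print(user_lookup_filter("openldap", "*)(uid=*"))
    print(groups_of_member_filter("wls_embedded", "uid=jdoe,ou=people,dc=example,dc=com"))
```

The escaped output shows the special characters rendered as hex escapes, so the directory still evaluates a single equality assertion on the login attribute. Callers should build filters this way rather than by string concatenation of raw input, and should treat a ValueError from the length check as a sign that the input is not a plausible login or DN.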